GDPR centre

What is GDPR?

In 2012, the European Commission began a process to reform Europe's existing data protection laws by proposing a new data protection regulation to replace the current Data Protection Directive. GDPR was agreed and adopted in 2016 and came into effect on 25 May 2018.

GDPR aims to make data protection regulations:

More relevant

Updating EU data protection standards to make them more suitable for today’s world

More comprehensive

Remedying some of the perceived deficiencies of the current Data Protection Directive

More unified

Achieving a better, more harmonised standard of data protection throughout the EU

What does GDPR change?

GDPR means significant change, but it’s a great opportunity for companies to take stock of their current data processing activities and make sure they’re protecting customer data appropriately.

Demonstrable compliance

While many organisations already do the right thing when it comes to personal data, GDPR requires organisations to document and be able to show how they comply with data protection requirements. This means additional documentation of systems, processes and procedures.

Enhanced rights

On top of existing rights in the EU, like the right to access and correct personal data held by an organisation, GDPR introduces new data protection rights for individuals such as the right to obtain and reuse personal data across different services, and the right of erasure.

Privacy by design

Organisations must implement technical and organisational measures to show they have considered and integrated data compliance measures into their data processing activities. This builds on the idea that privacy should be considered from the start (and throughout) the systems and product design process.

How will GDPR impact your business?

GDPR applies to every company in the world that processes personal data about people in the EU. Check out our GDPR guide for more information on how GDPR affects your business and what you can do to make sure you stay compliant.

What has Xero done to get prepared for GDPR?

We take our responsibilities under GDPR seriously. Many months ago we embarked on a programme to identify which measures we needed to implement for GDPR compliance. Here is a summary of some of the key things we’ve done:

Data Protection Impact Assessment – We’ve implemented a DPIA procedure and integrated that into our system and product development

“We see GDPR as a positive step forward for data protection that organisations should embrace. It's a great opportunity to look under the hood and ensure data protection practices are where they need to be.”

- Gary Turner, Managing Director, Xero UK & EMEA

What’s next

GDPR has arrived and it’s here to stay. We’ve been working hard to make sure we’re ready (and yes, we’re ready) but the hard work doesn’t stop here. This is just the beginning! At Xero, we are always looking for ways to improve, and will continue to embed data protection into our systems and processes well past 25 May.

FAQs

Similar to many SaaS providers, we use a top-tier, third-party data hosting provider (Amazon Web Services) with servers located in the U.S. to host our online and mobile services. For more information about AWS’s approach to compliance with the GDPR, see https://aws.amazon.com/compliance/gdpr-center/.

Xero has no short term plans to store data in the EU, and this isn’t required under GDPR. Instead, GDPR requires companies to implement appropriate safeguards when they export personal data out of the EU.

Xero makes sure that it complies with EU data export restrictions when it exports data outside of the EU, and will be doing a full audit prior to May 2018 on the data export mechanisms it has in place to ensure they comply, and will continue to comply, with GDPR.

When personal data is hosted or processed outside of the European Economic Area by Xero, GDPR requires that it remains protected by appropriate safeguards in line with EU law. There are a few ways that Xero achieves this.

First, some of our EU customers' data is processed in New Zealand (where our Headquarters are located). New Zealand is recognised by the EU as an 'adequate' country (i.e. safe country) to receive and process EU personal data, pursuant to European Commission Decision 2013/65/EU.

When we process EU customer data in other territories, like the United States of America or Australia, we ensure "appropriate safeguards" are in place that are prescribed by GDPR – i.e., by entering into the European Commission’s Standard Contractual Clauses with the entity the data is transferred to, or by ensuring the entity is Privacy Shield certified (for transfers to US based entities).

Xero is a New Zealand-headquartered company, with offices all over the globe – we are not a US-headquartered company. Privacy Shield is only one of a few available mechanisms to transfer data outside of the EU, and certification against the Privacy Shield is not a legal requirement. We rely on a combination of measures to ensure compliance with EU data export rules, including Model Clauses.

Protecting our customers' data is fundamental to everything we do. To better understand our security practices, you can refer to our Security Pages.

Xero has also completed a SOC 2 Type 2 report. The report covers the Trust Services Principles and Criteria for Security, Availability, and Confidentiality. SOC 2 audits are carried out by Ernst and Young, so it's an independent assessment of Xero's control environment against an internationally recognised assurance standard. You can request a copy of Xero’s SOC 2 report at https://www.xero.com/about/security/soc-report/.

Yes. You can review and sign a copy of Xero’s Data Processing Addendum here. Instructions for execution are set out in the Addendum. You can either print and sign the Addendum or upload it to an e-signing tool – it's up to you. If you have any questions about its contents you can email privacy@xero.com.